Yes, your understanding is correct. Although, some REST services can be accessed directly, without passing by the server 2.
Getting a response is a matter of milliseconds, especially when data centers are close to each other geographically (because indeed, speed of light matters). If we are talking about small web apps, the REST service and the app may be hosted on the same machine, which may mean that the time lost exchanging data is less than a millisecond.
There are several authentication mechanisms. For instance, Server 2 may use an API key which is unknown by other servers. Another possibility is to look at the IP address of the client, although usually, it is a better idea to have the same authentication mechanism for internal and external use.
Yes. REST services are used for mobile applications, desktop applications, embedded apps, etc.
REST services can be used directly. Passing them through another server (would it be Server 2 in your diagram, or Server 3) adds a layer of complexity, but may sometimes be a valid choice.
Note that in many cases, multiple servers are involved anyway. For instance, for a small but reliable website which has no REST services:
The request to the home page of a website may be handled by a failover server (such as Nginx) which determines which one of two app servers should handle the request.
The app server starts handling the request.
This produces several log entries which are sent to a log server.
Since data is required, database servers are solicited. If the first database server is down, the failover one is used.
See? Without any REST services, five machines were used to generate a response (not counting different switches and network devices which were passing the request and the response).